b'W                                                                          September 9, 1999\n\n\nTO:            AO/Chief Information Officer\n\nFROM:          W/Assistant Inspector General for Auditing\n\nSUBJECT:       Final Report on the Year 2000 Date Conversion \xe2\x80\x93 Assessment Phase Summary\n               Assignment Number A9902500\n               Report Number IG-99-035\n\n\nThe subject final report is provided for your information and use. Please refer to the Executive\nSummary for overall audit results. The draft of this report contained no recommendations, and\nmanagement was not required to and chose not to provide comments.\n\nIf you have questions concerning the report, please contact Mr. Brent Melson, Program Director,\nInformation Assurance Audits, at (202) 358-2588, or Ms. Clara Lyons, Auditor-in-Charge, at\n(216) 433-8985. We appreciate the courtesies extended to the audit staff. The report distribution\nis in Appendix E.\n\n[original signed by]\n\nRussell A. Rau\n\nEnclosure\n\ncc:\nB/Chief Financial Officer\nG/General Counsel\nH/Associate Administrator for Procurement\nJM/Management Assessment Division\n\x0cbcc:\nAIGA, IG, Reading (w/o Encl.) Chrons\nAO/Audit Liaison Representative\n\x0c                                                     IG-99-035\n\n\n\n\nAUDIT\n                           YEAR 2000 DATE CONVERSION \xe2\x80\x93\nREPORT                       ASSESSMENT PHASE SUMMARY\n\n                                 September 9, 1999\n\n\n\n\n                           OFFICE OF INSPECTOR GENERAL\n\nNational Aeronautics and\nSpace Administration\n\x0cAdditional Copies\n\nTo obtain additional copies of this report, contact the Assistant Inspector General for Auditing at\n(202) 358-1232, or visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General for\nAuditing. Ideas and requests can also be mailed to:\n\n               Assistant Inspector General for Auditing\n               NASA Headquarters\n               Code W, Room 8V69\n               300 E Street, SW\n               Washington, DC 20546-0001\n\nNASA Hotline\n\nTo report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at\n(800) 424-9183, (800) 535-8134 (TDD), or at www.hq.nasa.gov/office/oig/hq/hotline.html#form;\nor write to the NASA Inspector General, P.O. Box 23089, L\xe2\x80\x99Enfant Plaza Station, Washington,\nDC 20026. The identity of each writer and caller can be kept confidential, upon request, to the\nextent permitted by law.\n\n\n\n\nAcronyms\n\nIT             Information Technology\nBCCP           Business Continuity and Contingency Plan\nCIO            Chief Information Officer\nCOTS           Commercial-off-the-Shelf\nDCAA           Defense Contract Audit Agency\nDCMC           Defense Contract Management Command\nGAO            General Accounting Office\nJPL            Jet Propulsion Laboratory\nOMB            Office of Management and Budget\nY2K            Year 2000\n\x0cContents\n\n\n\nExecutive Summary, i\n\nIntroduction, 1\n\nNASA\'s Assessment Process, 2\n\n     NASA\xe2\x80\x99s Y2K Inventory Process, 2\n\n     Mission-Critical Classification, 5\n\n     Inventory Updates, 7\n\n     Conversion Strategies, 8\n\n     External Data Interfaces/Exchanges, 9\n\n     Contingency Plans, 10\n\nAppendix A - Objectives, Scope, and Methodology, 11\n\nAppendix B - Summary of Prior Coverage, 13\n\nAppendix C - Y2K Five-Phase Approach, 15\n\nAppendix D - NASA Inventory Items Reviewed, 16\n\nAppendix E - Report Distribution, 18\n\x0c                              NASA Office of Inspector General\n\nIG-99-035                                                                            September 9, 1999\n A9902500\n\n                      Year 2000 Date Conversion Assessment Phase\n                                   Summary Report\n\n\n                                        Executive Summary\n\n\nBackground. The Year 2000 (Y2K) date conversion problem could affect computer systems\nworldwide. Many computer systems and applications use a standard two-digit format\n(MM/DD/YY) to generate a date. The two-digit number representing the year may cause failures\nin arithmetic, comparisons, sorting, and input/output to databases or files as of January 1, 2000,\nbecause computers may not be able to distinguish between 1900 and 2000.\n\nThe Y2K assessment phase process includes identifying and evaluating all aspects of information\nsystems that may be affected by date calculations. After identification, strategies to test for date\ncompliance, correct identified problems, develop contingency plans, and estimate costs must be\nin place. NASA is using a management approach for its Y2K program that is consistent with,\nand supportive of, the Agency\xe2\x80\x99s framework for strategic and program management.\n\nObjectives. The overall objective of our audit was to determine whether NASA has adequately\nassessed the magnitude of its Y2K efforts and accurately reported the results of its assessment to\nthe Office of Management and Budget (OMB). Appendix A contains our specific objectives and\nadditional information on scope and methodology. The Office of Inspector General has other\nongoing audits addressing NASA\xe2\x80\x99s Y2K renovation, validation, and implementation efforts.\n\nResults in Brief. Overall, NASA established demanding goals and processes to provide\nreasonable assurance that Y2K date conversion problems have been adequately identified. This\nreport provides a summary of how seven NASA Centers1 addressed the goals related to the Y2K\nAssessment Phase. The Centers we reviewed incorporated into their respective Y2K projects the\nprocesses for:\n\n\xe2\x80\xa2   identifying inventory items,\n\xe2\x80\xa2   classifying items by criticality,\n\xe2\x80\xa2   updating the Y2K inventory,\n\xe2\x80\xa2   developing conversion strategies,\n\n1\n The Centers included Ames Research Center, Glenn Research Center, Goddard Space Flight Center, Jet Propulsion\nLaboratory, Johnson Space Center, Kennedy Space Center, and Marshall Space Flight Center.\n\x0c\xe2\x80\xa2   testing for compliance,\n\xe2\x80\xa2   identifying and evaluating data exchanges and interfaces, and\n\xe2\x80\xa2   developing strategies for contingency plans.\n\nThe processes in place generally allowed NASA to report adequate data to OMB on a quarterly\nbasis.\n\nHowever, we identified several opportunities for improving NASA Assessment Phase activities\nin a September 30, 1998, report, \xe2\x80\x9cYear 2000 Date Conversion \xe2\x80\x93 Assessment Phase\xe2\x80\x9d (Report\nNumber IG-98-040). The report contains recommendations regarding NASA\xe2\x80\x99s Y2K assessment\neffort. See Appendix B for a summary of the report.\n\nRecommendations. This report contains no recommendations for corrective action, and\nmanagement did not provide comments.\n\n\n\n\n                                                ii\n\x0cIntroduction\n\nThe President issued Executive Order 13073, \xe2\x80\x9cYear 2000 Conversion,\xe2\x80\x9d February 4, 1998, to\naddress the magnitude and potential effects of the Y2K problem in the Federal Government. The\nPresident directed Federal agencies to ensure that no critical Federal program would be disrupted\nbecause of Y2K problems. OMB Memorandum 97-13, \xe2\x80\x9cComputer Difficulties Due to the Year\n2000 \xe2\x80\x93 Progress Reports,\xe2\x80\x9d May 7, 1997, requires some Federal agencies, including NASA, to\nprovide quarterly reports on progress in addressing the Y2K problem. OMB also established a\nstandard reporting format for the quarterly reports. In addition, OMB Memorandum 98-02,\n\xe2\x80\x9cProgress Reports on Fixing Year 2000 Difficulties,\xe2\x80\x9d January 20, 1998, outlined several new\nreporting requirements. As a result of the requirements, NASA must report, among other things,\n(1) progress in identifying and fixing mission-critical and nonmission-critical systems, (2) cost\nestimates for fiscal years 1996 through 2000, (3) efforts to identify data exchanges, and (4) the\napproach for contingency planning. In addition, the General Accounting Office (GAO) issued\nGAO/AIMD-10.1.14, \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide,\xe2\x80\x9d in September\n1997. The guide presents a structured approach and a checklist to aid Federal agencies in\nplanning, managing, and evaluating their Y2K programs. It also outlines key processes for\nassessment activities including identifying, assessing, prioritizing, and analyzing an agency-wide\ninventory.\n\nThe NASA Administrator initiated the Y2K program in 1996 and is accountable for its overall\nsuccess. He delegated overall accountability and responsibility for the Y2K program to the\nNASA Chief Information Officer (CIO). Further, a Y2K program manager, who reports directly\nto the NASA CIO, has day-to-day responsibility for managing the program. Enterprise Associate\nAdministrators and NASA Center Directors are accountable for ensuring that Y2K program\nrequirements are met within their respective areas of responsibility. Enterprise CIO\nrepresentatives have been assigned and are responsible for coordinating Y2K progress at the\nCenters for which they have responsibility. Center CIO representatives have been assigned and\nare responsible for ensuring that all Y2K problems or deficiencies are identified, planned for, and\nresolved on schedule and within budget.\n\x0cNASA\xe2\x80\x99s Assessment Process\n\nNASA\xe2\x80\x99s Y2K Inventory Process\n\nThe Agency issued \xe2\x80\x9cThe Year 2000 Problem; Planning and Data Collection,\xe2\x80\x9d on August 9, 1996,\nrequiring Center CIO representatives to identify, plan, and resolve Center Y2K problems. The\nNASA CIO requested that each Center CIO representative perform data collection in two phases.\nIn the first phase, the CIO representatives were to complete a preliminary inventory of Center\ncommercial-off-the-shelf (COTS)2 and non-COTS products. The Center CIO representatives\nwere to identify COTS and non-COTS software, the platforms on which the products operated,\nnames and version numbers of the products, and the names and addresses of the vendors or\ncontractors that supported the products. The CIO instructed the Centers to provide, by\nAugust 22, 1996, a preliminary inventory; a rough cost estimate, by fiscal year; and a prioritized\nlist of all non-COTS products for change or replacement. The second phase, to be completed by\nOctober 1, 1996, was to ensure that the COTS and non-COTS inventory was comprehensive,\ncomplete, and accurate. In addition, the CIO asked the Centers to provide a reliable cost\nestimate, by fiscal year, and the dates by which the prioritized list of all non-COTS products\nwould be changed or replaced.\n\nThe August 9, 1996, initiative also made Information Technology (IT) Lead Centers responsible\nfor collecting, consolidating, and integrating the data for all COTS products within their areas of\nresponsibility. The table shows the Lead Centers and their respective COTS products.\n\n\n                                      IT Lead Center Responsibilities\n\n                                Center                          Type of COTS Products\n\n                      Ames Research Center                       Supercomputers\n                      Glenn Research Center                  Workstation and file servers\n                    Marshall Space Flight Center            Communication and mainframes\n\n\nJohnson Space Center (Johnson) is responsible for identifying IT activities involving\ninternational partners, including data interface/exchange and communication equipment not\ncovered by the Marshall Space Flight Center (Marshall) in its lead center role for communication\nand mainframe COTS products. The Headquarters Office of Management Systems is responsible\nfor Agency-wide legacy systems. Each Center is responsible for evaluating its own non-COTS\nsoftware for Y2K problems and for planning necessary corrective actions.\n\nIn April 1997, NASA incorporated the IT Lead Center approach in its first Y2K Project Plan,\nwhich outlined project goals, objectives, responsibilities, strategies, and reports. The project plan\n\n2\n    COTS products are hardware and software that can be purchased commercially.\n\n\n                                                            2\n\x0calso included Center-specific project plans based on OMB\xe2\x80\x99s required, Y2K, five-phase sequential\napproach: awareness, assessment, renovation, validation, and implementation. Details on the\nfive-phase approach are in Appendix C.\n\nIn December 1997, the CIO and the Y2K Program Manager met with all Y2K project managers\nand Center CIO representatives to initiate a rebaselining3 of the Y2K inventory. In addition to\nreworking various Y2K schedules to meet new OMB Government-wide goals, the rebaselining\nincluded adjustments to the Y2K inventory as a result of NASA-identified deficiencies in\ninventory reporting. For example, several Centers did not include business systems and various\nNASA aircraft as mission-critical inventory items for OMB reporting purposes. In addition,\nAmes Research Center (Ames) and Langley Research Center (Langley) were to perform\nsignificant reassessments of their respective inventories. NASA has followed up the rebaselining\nactivities with continued assessments of Y2K effects on the Agency. The efforts have and\ncontinue to include a range of techniques from focused interviews and surveys of NASA\npersonnel to structured workshops. NASA plans to continue to reassess its position through\n1999.\n\nAudit Results\n\nThe Centers organized individual Y2K project teams to identify potential Y2K problems with\ntheir respective inventories. Although the names and organizational structures of the Center\nY2K project teams varied at the Centers we reviewed, it was evident that a concerted effort had\ntaken place. For example, the Marshall CIO formed a Y2K Working Group consisting of\nrepresentatives from every major Marshall Enterprise. The representatives were responsible for\nadvocating, coordinating, and facilitating various Y2K activities for their respective\norganizations. In addition, the Enterprise\xe2\x80\x99s organizational components were responsible for\nidentifying IT systems for inclusion in the Y2K inventory. The Jet Propulsion Laboratory (JPL)\nestablished the Y2K Implementation Integration Project and, similar to Marshall\xe2\x80\x99s efforts, staffed\nit with a Y2K Project Manager and directorate and office representatives.\n\nThe Center Y2K project teams used various strategies to identify inventory items. For the most\npart, the strategies involved the knowledge and expertise of hundreds of personnel NASA-wide.\nThe personnel used configuration management systems, source code libraries, hardware\ninventories, and personal experience to identify items for inventory purposes.\n\nOne of the main variations among the Centers was the definition of a \xe2\x80\x9csystem.\xe2\x80\x9d We reviewed a\njudgmental sample of inventory items (Appendix D) to evaluate the processes the Centers used to\nidentify all components of an item during the assessment phase. In some cases, a NASA\ninventory line item included hundreds of subsystems and components. In other cases, the line\nitem was an application that was a component of a much larger system. The initial NASA\ndefinition of a system was subjective and allowed for a great degree of latitude when developing\nstrategies to assess Y2K problems. This was further evidenced in July 1998, when the CIO\n\n\n3\n Rebaselining refers to NASA evaluating Y2K progress and milestones in order to meet and be consistent with\nchanges to OMB\xe2\x80\x99s Government-wide goals and requirements.\n\n\n                                                           3\n\x0cprovided the following definition of an inventory item for the first time in the \xe2\x80\x9cNASA Y2K Test\nand Certification Guidelines and Requirements\xe2\x80\x9d:\n\n              A NASA inventory item may be an IT system, non-IT system, application,\n              hardware component, software component, firmware, or COTS product. An\n              inventory item may be a combination of custom software, hardware, and COTS\n              products, or any component item.\n\nThe guidance made the Centers responsible for determining which inventory items were to be\nassessed, corrected, validated, or certified compliant for Y2K purposes.\n\nWe also reviewed the efforts of the NASA Lead Centers in identifying and communicating the\ncompliance status of COTS products. Although the Lead Centers had unique processes in place\nfor identifying COTS products, the Centers did not adequately communicate accumulated data to\nother Centers. Our audit report IG-98-040, \xe2\x80\x9cYear 2000 Date Conversion \xe2\x80\x93 Assessment Phase,\xe2\x80\x9d\nSeptember 30,1998, recommended that NASA share information on the status of COTS products\nand establish processes to reduce redundancy of evaluation efforts (see Appendix B).\n\nEach Center we reviewed had staffed a team to manage the Y2K effort including the inventory\nprocess. NASA incorporated processes to adequately accumulate and report Y2K inventories to\nOMB. In addition, NASA generally developed and used processes consistent with the guidelines\nin GAO\xe2\x80\x99s \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide,\xe2\x80\x9d dated September 1997.\n\n\n\n\n                                                      4\n\x0cMission-Critical Classification\n\nIn January 1997, the Congress tasked the OMB to accumulate and report information\nsummarizing Federal agencies\' Y2K progress. Accordingly, OMB required some Federal\nagencies, including NASA, 4 to provide quarterly reports on progress in addressing the\ndifficulties relating to the Y2K problem. As part of the OMB reporting requirements, NASA was\nto report its progress in identifying and fixing mission-critical systems. To meet this\nrequirement, NASA reevaluated its initial COTS/non-COTS inventories. In the absence of an\nOMB Government-wide definition of mission critical, on April 23, 1997, the CIO provided the\nfollowing definition as part of the Y2K metrics for measuring Y2K progress:\n\n                  At a minimum, the mission critical systems will include:\n\n                  \xe2\x80\xa2   The major NASA computer programs and systems listed in Enclosure A.5\n\n                  \xe2\x80\xa2   Any other IT or non-IT resources (facilities, bio-medical devices, and other\n                      electronic devices) which are identified as vulnerable to the Year 2000\n                      problem and which Headquarters or Center CIO\xe2\x80\x99s determine could cause\n                      loss of life, serious injury, breach of security, compromise of a NASA\n                      mission, or significant disruption of services needed to carry out NASA\xe2\x80\x99s\n                      business.\n\nIn May 1997, NASA reported 453 mission-critical systems in its initial quarterly submission to\nOMB. NASA reduced this number by 301 as a result of its December 1997 rebaselining effort.\nThe reduction was attributable to eliminating the Marshall business system COTS items that had\nbeen misclassified as mission critical. Accordingly, NASA reported 158 mission-critical items to\nthe OMB in February 1998.\n\nAfter its rebaselining efforts, NASA redefined mission-critical items through an April 1998\nrevision to its Y2K Program Plan. The Centers were to classify an inventory item as mission\ncritical if it met one of the following criteria:\n\n                  \xe2\x80\xa2   Requires special management attention because of its importance to the\n                      Agency mission or impact on the administration of Agency programs,\n                      finances, property, or other resources.\n\n                  \xe2\x80\xa2   Involves functions that affect safety or human life.\n\n                  \xe2\x80\xa2   Is a high-risk or impact system in that a negative impact would place NASA\n                      at significant or irreparable damage.\n\n                  \xe2\x80\xa2   Has significant financial value.\n\n\n4\n  OMB initially required 28 Federal agencies to report quarterly on the status of their Y2K efforts and later added\nselected small agencies.\n5\n  Enclosure A included a list of major NASA IT investments that require special management attention because of\ntheir importance to the Agency mission; or high-development, operating, or maintenance costs; or high risk or high\nreturn; or significant impact on the administration of Agency programs, finances, property, or other resources.\n\n\n                                                              5\n\x0cAlthough the revised definition was more specific for Center use, NASA reported the same 158\nmission-critical items to OMB. As of May 15, 1999, the only change to the list was the\nretirement of one system, leaving the reported total of mission-critical items at 157.\n\nAudit Results\n\nNASA first classified applicable inventory items as mission-critical as a result of the OMB\nrequirement for Federal agencies to report the status of mission-critical systems in May 1997. As\ndiscussed earlier, the NASA CIO defined mission critical for Center use. While the Centers had\ndifferent interpretations of the definition, each had a process in place to evaluate the mission\ncriticality of its inventory items. The Centers\' evaluations addressed the mission criticality of\neach inventory item we reviewed in order to provide adequate input to OMB. The processes\ngenerally complied with guidelines on prioritizing conversion or replacement strategies outlined\nin GAO\xe2\x80\x99s \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide,\xe2\x80\x9d dated September 1997.\n\n\n\n\n                                                   6\n\x0cInventory Updates\n\nNASA\xe2\x80\x99s Y2K Program Plan assigned various responsibilities including updating the inventory.\nConcurrent with this effort, the Centers developed individual project plans. The Center Y2K\nProject Manager, the Center CIO representative, and the Center Director reviewed the project\nplans. At the Agency level, the respective Enterprise CIO Representative and the Enterprise\nAssociate Administrator having institutional management responsibilities reviewed the project\nplans. The Centers, in coordination with NASA CIO\xe2\x80\x99s office, designed the plans to define and\nschedule all activities (including the inventory process), allocate appropriate resources, and meet\nreporting and review requirements.\n\nThe Agency closely monitors changes to both the NASA Y2K Program Plan and any of the\nCenter project plans. The NASA CIO reviews and approves, with the concurrence of each\nEnterprise, changes and updates to the NASA Y2K Program Plan. Further, the NASA CIO\noffice collects, reviews, and verifies Y2K performance reports for all the Enterprises and Centers.\nThe Y2K Program Manager completes validation and verification of performance reports\nthrough a variety of methods. Those methods include comparing performance reports with\nrespective plans and schedules and continuous monitoring of performance through weekly\nteleconferences, reviews, and interaction with Y2K personnel.\n\nAudit Results\n\nTo meet the performance goals outlined in the Agency and Center Y2K plans, each Center\ninstituted various tracking methods for its Y2K inventory. Although varying in complexity, the\nCenters used inventory tools ranging from simple spreadsheets to complicated relational\ndatabases. To aid those efforts, NASA instituted various controls6 to restrict access to the tools\nand accompanying data to individuals at the Centers responsible for tracking and evaluating the\nY2K inventory. For the systems we reviewed, the Centers were updating the inventories on a\nregular basis. In addition, the Centers had processes in place to ensure that the appropriate level\nof management review occurred in order to provide adequate data for the Agency\xe2\x80\x99s quarterly\nprogress report to OMB.\n\n\n\n\n6\n NASA controls limit access to various control documents and electronic media. We did not evaluate the controls\nand do not express an opinion on their adequacy.\n\n\n                                                           7\n\x0cConversion Strategies\n\nA key follow-on activity to analyzing and testing inventory items for Y2K compliance is\ndeveloping a strategy to resolve items that are not Y2K compliant. The CIO required all Centers,\nincluding IT COTS Lead Centers, to prioritize their efforts in developing strategies for corrective\nactions. The Centers reported the strategies to the CIO on a quarterly basis for inclusion in\nNASA\xe2\x80\x99s quarterly progress report to the OMB. The Centers reported an inventory item as being\ncompliant, repaired, replaced, or retired. As part of the December 1997 rebaselining activities,\nthe CIO published guidelines defining the various corrective action statuses:\n\n                \xe2\x80\xa2   Compliant: an inventory item is treated as compliant if it meets one of four\n                    criteria: (1) it is in development and life cycle management will\n                    accommodate compliance requirements; (2) it is a new acquisition and\n                    compliance will be accommodated; (3) it has been tested and certified as\n                    Y2K compliant; or (4) it is not date affected.\n\n                \xe2\x80\xa2   Repair: software, hardware, or firmware components will be modified,\n                    tested, and implemented.\n\n                \xe2\x80\xa2   Replace/Upgrade: the inventory item will be replaced with a new Y2K\n                    compliant item that provides comparable functionality. For COTS items,\n                    upgrades are classified as replace/upgrade.\n\n                \xe2\x80\xa2   Retire/Discontinue: the inventory item will leave the NASA inventory due\n                    to Y2K or other reasons. No replacement item is anticipated. For COTS\n                    items, the product will leave the NASA inventory with no anticipated\n                    upgrade.\n\nOnce the Centers determined a strategy, it began to identify validation strategies, interface/data\nexchange issues, and resource requirements.\n\nAudit Results\n\nWe reviewed the Centers\xe2\x80\x99 processes for identifying conversion strategies. Specifically, we\ndiscussed the strategies with personnel accountable for the actions and reviewed applicable\ndocumentation. NASA had identified a conversion plan for each of the inventory items in our\nsamples. The Agency\'s processes for identifying conversion strategies allowed for adequate\nOMB reporting and were generally consistent with guidelines outlined in GAO\xe2\x80\x99s \xe2\x80\x9cYear 2000\nComputing Crisis: An Assessment Guide,\xe2\x80\x9d dated September 1997.\n\n\n\n\n                                                           8\n\x0cExternal Data Interfaces/Exchanges\n\nNASA initiated its efforts at identifying external data interfaces7 related to mission-critical\ninventory items as part of its overall Y2K program established in 1996. The CIO\xe2\x80\x99s\nmemorandum, \xe2\x80\x9cThe Year 2000 Problem; Planning and Data Collection,\xe2\x80\x9d August 9, 1996,\noutlined an overall approach for handling the Y2K problem. The CIO included directives that\ntasked (1) Johnson to identify data exchanges/interfaces with international partners and (2) the\nCenters to identify all software and data interfaces, both internal and external, and coordinate any\nnecessary revisions with the appropriate parties. In early 1997, NASA identified about 100 date-\nsensitive data interfaces associated with mission-critical systems. For the most part, the\ninterfaces NASA identified were with Federal agencies and involved NASA\xe2\x80\x99s\nbusiness/administrative systems, such as systems that interface with the U.S. Treasury. By\nMarch 1998, NASA was to have contacted each external entity and develop transition plans.\n\nOMB Memorandum 98-02, \xe2\x80\x9cProgress Reports on Fixing Year 2000 Difficulties,\xe2\x80\x9d\nJanuary 20, 1998, requires a report on the status of external interfaces in the quarterly report.\nNASA first reported the status of data interface activities in its February 1998 quarterly report to\nOMB. As of May 1999, NASA has reported progress related to its mission-critical items for the\nInternational Space Station, Space Science Enterprise, Earth Science Enterprise, and Aeronautics\nEnterprise inventories.\n\nIn addition to providing information to OMB, NASA provided data to the GAO regarding data\ninterfaces. At the request of the Ranking Minority Member of the Subcommittee on Technology,\nHouse Committee on Science, GAO performed a Government-wide review to address the Y2K\nproblem associated with electronic data interfaces. NASA submitted to GAO information related\nto Agency-wide data interfaces with Federal, state, and local governments. The information did\nnot include international partners.\n\nAudit Results\n\nNASA personnel, including International Space Station, Earth Science, and Space Science\nprogram personnel, were responsible for identifying and evaluating external interfaces.\nDocumentation identifying external parties, types of interfaces, and external points of contact\nshowed that NASA personnel had contacted the external parties and were working with them to\neliminate Y2K concerns. Overall, NASA had various processes for identifying and working with\nexternal entities that were consistent with GAO guidelines. In addition, NASA had mechanisms\nin place to continually track the status of external interfaces allowing adequate updating of\ninformation provided to OMB.\n\n\n\n\n7\n An external data interface is a boundary across which two systems communicate. An interface may be a hardware\nconnector used to link devices or a convention (tape file, real-time electronic data interchange transaction, etc.) that\nallows communication between software systems.\n\n\n                                                               9\n\x0cContingency Plans\n\nIn addition to requiring agencies to report the status of external data interfaces, OMB\nMemorandum 98-02 requires agencies to report on contingency planning activities. In February\n1998, NASA initially reported on several initiatives to address the requirement for contingency\nplanning. As part of this effort, NASA identified two risk categories:\n\n       \xe2\x80\xa2   failure of a mission-critical item due to an uncorrected processing problem or to\n           corrective actions that have unforeseen operational consequences, or\n       \xe2\x80\xa2   failure introduced by the Y2K failures of others (for example, contractors,\n           international partners, and infrastructure service providers).\n\nIn June 1998, the CIO asked each Enterprise and Center, including Headquarters and the JPL, to\nprovide a description of business continuity and contingency planning (BCCP) strategy,\napproach, and overall schedule by September 1998. The CIO required a completed BCCP by\nMarch 31, 1999.\n\nEnterprises and Centers are responsible for preparing BCCP\xe2\x80\x99s to identify and assess Y2K risks to\nmissions, programs, and core business processes. The Enterprise BCCP\xe2\x80\x99s address each major\nprogram or project. Center BCCP\xe2\x80\x99s address core business processes and include contingency\nplans for high-risk, mission-critical systems.\n\nNASA issued the \xe2\x80\x9cNASA Year 2000 Business and Contingency Plan Guide,\xe2\x80\x9d January 1999,\nwhich contains guidance on preparing BCCP\xe2\x80\x99s, including common planning assumptions and a\nstandard planning template. The guidance requires Enterprise Associate Administrators to\nreview and approve Enterprise BCCP\xe2\x80\x99s. In addition, the Center Directors must approve the\nCenter BCCP, with concurrence by the Enterprise Associate Administrator who has institutional\nresponsibility. NASA requires the review of the BCCP\xe2\x80\x99s on a quarterly basis, at a minimum, to\nensure currency and applicability.\n\nAudit Results\n\nThe Centers provided BCCP planning strategies, approaches, and overall schedules to the CIO on\nSeptember 30, 1998. Although varying in design, the BCCP planning documents we reviewed\nindicated that strategies for developing contingency plans were in place. The plans were\nconsistent with OMB reporting requirements and GAO guidelines for identifying contingency\nstrategies. We are addressing contingency planning in more depth in another audit, Assignment\nNumber A9900801, "Year 2000 Program - Implementation Phase."\n\n\n\n\n                                                   10\n\x0c                  Appendix A. Objectives, Scope, and Methodology\n\n\n\nObjectives\n\nThe overall objective of the audit was to determine whether NASA has adequately assessed the\nmagnitude of the Y2K effort and is accurately reporting to OMB the results of its assessment.\nSpecifically, we evaluated whether Ames, Glenn Research Center (Glenn), Goddard Space Flight\nCenter (Goddard), JPL, Johnson, Kennedy Space Center (Kennedy), and Marshall had processes\nin place to:\n\n\xe2\x80\xa2   conduct a comprehensive inventory of IT systems and non-IT systems,\n\n\xe2\x80\xa2   appropriately classify systems as mission critical,\n\n\xe2\x80\xa2   update the system inventory on a periodic basis,\n\n\xe2\x80\xa2   test to identify the magnitude of the Y2K problem,\n\n\xe2\x80\xa2   identify conversion strategies,\n\n\xe2\x80\xa2   identify data exchanges and establish dialog with external parties,\n\n\xe2\x80\xa2   reasonably estimate the cost of fixing the Y2K problem, and\n\n\xe2\x80\xa2   develop strategies for contingency plans.\n\nReport IG-98-040 (see Appendix B) addresses issues related to Agency testing to identify the\nmagnitude of the Y2K problem and estimating the cost of fixing the Y2K problem.\n\nScope and Methodology\n\nIn evaluating our specific objectives at the seven Centers, we:\n\n\xe2\x80\xa2   Reviewed the NASA Y2K Program Plan.\n\n\xe2\x80\xa2   Reviewed NASA, OMB, and GAO guidance addressing Y2K efforts.\n\n\xe2\x80\xa2   Reviewed NASA\xe2\x80\x99s OMB quarterly reports.\n\n\xe2\x80\xa2   Reviewed the Centers\xe2\x80\x99 quarterly reports submitted to NASA Headquarters for inclusion in\n    the Agency\xe2\x80\x99s quarterly submission to OMB.\n\n\n\n\n                                                    11\n\x0cAppendix A\n\n\n\xe2\x80\xa2   Interviewed the NASA Y2K Program Manager and Center Y2K project managers at Ames,\n    Glenn, Goddard, Johnson, JPL, Kennedy, and Marshall.\n\n\xe2\x80\xa2   Interviewed appropriate personnel at Ames, Glenn, Goddard, Johnson, JPL, Kennedy, and\n    Marshall.\n\n\xe2\x80\xa2   Reviewed detailed inventories.\n\n\xe2\x80\xa2   Reviewed documentation supporting the assessment activities related to a specific sample of\n    inventory items (see Appendix D).\n\n\xe2\x80\xa2   Reviewed cost estimates and supporting documentation where available.\n\n\xe2\x80\xa2   Reviewed documentation supporting the identification and analyses of external data\n    exchanges, including GAO\xe2\x80\x99s January 1998 survey of NASA data exchanges.\n\n\xe2\x80\xa2   Reviewed strategies for developing contingency plans.\n\n\xe2\x80\xa2   Reviewed the \xe2\x80\x9cNASA Year 2000 Agency Test and Certification Guidelines and\n    Requirements.\xe2\x80\x9d\n\nAudit Field Work\n\nWe performed field work from June 1998 through June 1999 at Ames, Glenn, Goddard, Johnson,\nJPL, Kennedy, and Marshall. The audit was performed in accordance with generally accepted\ngovernment auditing standards.\n\n\n\n\n                                                  12\n\x0c                      Appendix B. Summary of Prior Coverage\n\n\n\nThe NASA Office of Inspector General has issued four reports relating to Y2K. These reports\nare summarized below. (Visit www.hq.nasa.gov/office/oig/hq/issuedaudits.html for a copy of the\nreports).\n\n\xe2\x80\x9cExemptions for Year 2000 Testing, Johnson Space Center,\xe2\x80\x9d IG-99-025, May 13, 1999. The\nFinancial Management Division completed testing of the Center Financial System before NASA\nissued the July 1998 guidance, but had not submitted a request for exemption from the guidance.\nThe Johnson CIO had not established procedures to implement the exemption process. Without\nthe exemption, the Johnson CIO lacks reasonable assurance that the Center Financial System will\nmeet the minimum NASA testing requirements for Y2K compliance. We recommended that\nmanagement establish and implement procedures for approving exemptions to NASA testing\nrequirements. Management concurred with the recommendations.\n\n"Year 2000 Program Compliance Requirements in NASA Information Technology-Related\nContracts," IG-99-022, March 31, 1999. NASA lacks reasonable assurance that its systems\nwill be Y2K compliant on January 1, 2000. The Agency issued Y2K guidance for installations to\nfollow when acquiring, operating, and maintaining information technology assets. The guidance\nrequired contracting officers to include a clause addressing Y2K in information technology\nsolicitations and new contracts. Also, contracting officers were required to modify the statement\nof work to address Y2K in existing information technology operation and maintenance contracts.\nEach of the six locations audited had included the NASA-directed Y2K requirements in the\nsolicitations and new contracts used to acquire information technology assets. However, JPL had\nnot included the NASA-directed requirements in all its applicable information technology\noperation and maintenance contracts as of January 31, 1999. JPL management attributed its\ndelay to other workload priorities. Untimely incorporation of the Y2K compliance requirements\ninto NASA contracts adversely affects the Agency\'s ability to meet OMB\'s milestones for Y2K\nrenovation, validation, and implementation phases and increases the potential for noncompliant\nAgency systems on January 1, 2000. Also, contractors may not be held accountable for ensuring\nY2K compliance if the requirements are not incorporated. We recommended that the NASA\nCIO (1) coordinate with the NASA Management Office at JPL to establish a target date(s) for\nJPL completion and (2) monitor JPL\'s progress in meeting the target date(s). Management\nconcurred with both recommendations. Corrective action was completed on the first\nrecommendation and is pending on the second.\n\n\xe2\x80\x9cYear 2000 Program Oversight of NASA Production Contractors,\xe2\x80\x9d IG-99-004,\nDecember 17, 1998. NASA lacks reasonable assurance that its production contractors will\nprovide Y2K-compliant data to support the Agency\xe2\x80\x99s key financial and program management\nactivities. This condition occurred because NASA had not asked the two principal Department\nof Defense agencies, the Defense Contract Audit Agency (DCAA) and the Defense Contract\nManagement Command (DCMC), which perform the contract administration and audit functions\nat NASA\xe2\x80\x99s contractor locations to conduct Y2K reviews at NASA\xe2\x80\x99s major contractor locations.\n\n\n                                                  13\n\x0cAppendix B\n\n\nAs a result, NASA risks using noncompliant data that may adversely affect the Agency\xe2\x80\x99s control,\nbudgeting, program management, and cost accounting activities. We recommended that NASA\nrequest DCAA and DCMC to assess Y2K compliance at major NASA contractor locations and\ntrack corrective action on identified deficiencies. In addition, we recommended that NASA\nestablish milestones for DCAA and DCMC progress in reviewing contractor Y2K compliance.\nManagement concurred with the intent of the recommendations.\n\n\xe2\x80\x9cYear 2000 Date Conversion \xe2\x80\x93 Assessment Phase,\xe2\x80\x9d IG-98-040, September 30, 1998. Some\nNASA Centers did not have documented support for Y2K cost estimates that were reported to\nOMB, and Centers did not prepare the estimates using a consistent methodology. In addition,\ndocumentation did not always exist to support the manner in which Center assessments and\ndecisions for Y2K compliance were conducted. The audit also showed that NASA Centers need\nto improve the sharing of information on the status of Y2K compliance associated with COTS\nproducts. We recommended that (1) NASA develop and issue guidance on the methodology the\nCenters should use in estimating and adjusting Y2K cost estimates and on maintaining\nsupporting documentation, (2) direct the Centers to identify all IT and non-IT systems that have\nbeen assessed for Y2K compliance and ensure that documentation supports the work performed\nand conclusions reached, and (3) direct the Center Directors to share all information on the status\nof COTS products and to establish processes to reduce redundancy of evaluation efforts.\nManagement did not concur with the recommendation concerning guidance for Y2K cost\nestimates, stating that adequate guidance on cost estimation had been provided to NASA Centers.\nWe reaffirmed our position on this recommendation and requested additional comments in the\nfinal report.\n\n\n\n\n                                                   14\n\x0c                               Appendix C. Y2K Five-Phase Approach\n\n\n\n\n                                             Year 2000 Conversion Model\nPlan and manage the year 2000 program as a single large information system development effort. Promulgate and enforce good\nmanagement practices on the program and project levels.\n                                                                   Define the Y2K problem and gain executive-level support and\n                                             Awareness             sponsorship. Establish Y2K program team, and develop an overall\n                                                                   strategy. Ensure that everyone in the organization is fully aware of\n                                                                   the activity.\n                                                                   Assess the Y2K impact on the Enterprise. Identify core business areas\n                                                                   and processes, inventory and analyze systems supporting the core\n                                             Assessment            business areas, and prioritize their conversion or replacement.\n                                                                   Develop contingency plans to handle data exchange issues, lack of\nProgram & Project                                                  data, and bad data. Identify and secure the necessary resources.\n   Management\n                                                                   Convert, replace, or eliminate selected platforms, applications,\n                                             Renovation\n                                                                   databases, and utilities. Modify interfaces.\n                                                                   Test, verify, and validate converted or replaced platforms,\n                                                                   applications, databases, and utilities. Test the performance,\n                                            Validation             functionality, and integration of converted or replaced platforms,\n                                                                   applications, databases, utilities, and interfaces in an operational\n                                                                   environment\n\n                                                                   Implement converted or replaced platforms, applications, databases,\n                                          Implementation           utilities, and interfaces. Implement data exchange contingency plans,\n                                                                   if necessary.\n\n\n\n\n                                                                     15\n\x0c                         Appendix D. NASA Inventory Items Reviewed\n\n\n\nTo meet the objectives of our audit, we judgmentally selected NASA Y2K inventory items for\ndetailed review. We reviewed the items and supporting documentation to determine whether\nadequate processes were in place to identify all components8 and to assess Y2K compliance. Our\nsample, based largely on high-risk systems, included the items listed below.\n\nAmes Research Center\n\n\xe2\x80\xa2   Numerical Aerospace Simulation System\n\xe2\x80\xa2   FML Wind Tunnel\n\xe2\x80\xa2   National Full-Scale Aerodynamics Complex 80 x 120 Wind Tunnel Unique Systems\n\xe2\x80\xa2   Wind Tunnel Network\n\xe2\x80\xa2   Electrical Power Infrastructure\n\xe2\x80\xa2   Center Network Operations\n\xe2\x80\xa2   Center Gateway Services\n\xe2\x80\xa2   Business Systems\n\xe2\x80\xa2   Ames Communication and Data System for Space Station Hardware and Software\n\nGlenn Research Center\n\n\xe2\x80\xa2   Business and Financial Applications\n\xe2\x80\xa2   Combustible Gas Detection System\n\xe2\x80\xa2   Proprietary Protective Signaling System\n\nGoddard Space Flight Center\n\n\xe2\x80\xa2   Business and Administrative Systems\n\xe2\x80\xa2   X-Ray Timing Explorer Control System\n\xe2\x80\xa2   X-Ray Timing Explorer Flight Controller\n\xe2\x80\xa2   Gamma Ray Observatory Control System\n\xe2\x80\xa2   Gamma Ray Observatory Flight System\n\xe2\x80\xa2   White Sands Systems\n\xe2\x80\xa2   Mission Operations Support Area System\n\n\n\n\n8\n Components are all aspects that make up a particular system or inventory item. Components generally consisted of\nhardware, operating systems and subsystems, COTS application software, and internally developed system and\napplication software.\n\n\n                                                           16\n\x0c                                                                               Appendix D\n\n\nJet Propulsion Laboratory\n\n\xe2\x80\xa2   The Ocean Topography Experiment (TOPEX/Poseiden) Ground System\n\xe2\x80\xa2   Deep Space Network and Multi-Mission Ground Data Systems\n\nJohnson Space Center\n\n\xe2\x80\xa2   Software Production Facility\n\xe2\x80\xa2   Mission Control Center\n\nKennedy Space Center\n\n\xe2\x80\xa2   Checkout, Control, and Monitor Subsystem\n\xe2\x80\xa2   Kennedy Inventory and Management System\n\xe2\x80\xa2   Central Data Subsystem\n\xe2\x80\xa2   Shuttle Data Center\n\xe2\x80\xa2   Payload Data Management System\n\xe2\x80\xa2   Payload Checkout System\n\xe2\x80\xa2   Shuttle Processing Data Management System/Integrated Work Control Center\n\xe2\x80\xa2   Financial Management Systems\n\xe2\x80\xa2   Record and Playback System\n\xe2\x80\xa2   Microwave Scanning Beam Landing System\n\xe2\x80\xa2   Shuttle Operational Data Network\n\nMarshall Space Flight Center\n\n\xe2\x80\xa2   Space Shuttle Data Base\n\xe2\x80\xa2   NASA Payroll/Personnel System\n\xe2\x80\xa2   X-34 Systems\n\xe2\x80\xa2   Computer Access Control Systems\n\n\n\n\n                                               17\n\x0c                          Appendix E. Report Distribution\n\n\n\nNational Aeronautics and Space Administration (NASA) Headquarters\n\nA/Administrator\nAI/Associate Deputy Administrator\nAO/Chief Information Officer\nB/Chief Financial Officer\nB/Comptroller\nBF/Director, Financial Management Division\nC/Associate Administrator for Headquarters Operations\nG/General Counsel\nH/Associate Administrator for Procurement\nJ/Associate Administrator for Management Systems\nJM/Director, Management Assessment Division\nL/Associate Administrator for Legislative Affairs\nM/Associate Administrator for Space Flight\nP/Associate Administrator for Public Affairs\nQ/Associate Administrator for Safety and Mission Assurance\nR/Associate Administrator for Aero-Space Technology\nR/Chief Information Officer Representative\nS/Associate Administrator for Space Science\nU/Associate Administrator for Life and Microgravity Sciences and Applications\nY/Associate Administrator for Earth Science\nZ/Associate Administrator for Policy and Plans\n\nNASA Centers\n\nDirector, Ames Research Center\nDirector, John H. Glenn Research Center at Lewis Field\nDirector, Goddard Space Flight Center\nDirector, Lyndon B. Johnson Space Center\nDirector, John F. Kennedy Space Center\n Chief Counsel, Kennedy Space Center\nDirector, George C. Marshall Space Flight Center\nDirector, NASA Management Office, Jet Propulsion Laboratory\n\n\n\n\n                                                 18\n\x0c                                                                                   Appendix E\n\n\nNon-NASA Federal Organizations and Individuals\n\nAssistant to the President and Chair, President\'s Council on Y2K Conversion\nAssistant to the President for Science and Technology Policy\nDirector, Office of Management and Budget\nDeputy Associate Director, Energy and Science Division, Office of Management\n and Budget\nBranch Chief, Science and Space Programs Branch, Energy and Science Division, Office of\n Management and Budget\nAssociate Director, National Security and International Affairs Division, Defense Acquisitions\n Issues, General Accounting Office\nProfessional Assistant, Senate Subcommittee on Science, Technology, and Space\n\nChairman and Ranking Minority Member -- Congressional Committees and Subcommittees\n\nSenate Committee on Appropriations\nSenate Subcommittee on VA, HUD, and Independent Agencies\nSenate Committee on Commerce, Science, and Transportation\nSenate Subcommittee on Science, Technology, and Space\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on VA, HUD, and Independent Agencies\nHouse Committee on Government Reform and Oversight\nHouse Subcommittee on National Security, Veteran Affairs, and International Relations\nHouse Committee on Science\nHouse Subcommittee on Space and Aeronautics\n\nCongressional Member\n\nHonorable Pete Sessions, U.S. House of Representatives\n\n\n\n\n                                                  19\n\x0cMajor Contributors to This Report\n\nBrent Melson, Program Director, Information Assurance Audits\n\nClara Lyons, Auditor-in-Charge\n\nBrenda Conley, Auditor\n\nJames Geith, Auditor\n\nMike Morigeau, Auditor\n\nMindy Vuong, Auditor\n\nMark Zielinski, Auditor\n\nNancy C. Cipolla, Report Process Manager\n\nPat Reid, Program Assistant\n\x0c'